Opened 8 years ago
Closed 6 years ago
#27863 closed New feature (fixed)
Implement "SameSite" flag for session and CSRF cookies
Reported by: | Alex Gaynor | Owned by: | Paweł Krawczyk |
---|---|---|---|
Component: | HTTP handling | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | yes |
Easy pickings: | no | UI/UX: | no |
Description
SameSite is a mechanism for telling browsers not to send a cookie on requests with a different origin. It's not yet widely supported to the point of being the only CSRF protection (http://caniuse.com/#feat=same-site-cookie-attribute), but at 50% global deployment, it'd be very useful for Defense in Depth.
https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00
I believe simply adding SameSite=lax
to the session cookie is all that'd be required to get this protection, and I don't think there'd be any backwards compatibility concerns (<---- almost certainly not this simple).
Change History (7)
comment:1 by , 8 years ago
comment:2 by , 7 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
This can be implemented in HttpResponse.set_cookie() alone. I have just sent a pull-request on GitHub for that.
comment:4 by , 7 years ago
Version: | 1.10 → master |
---|
comment:5 by , 7 years ago
Component: | contrib.sessions → HTTP handling |
---|---|
Needs documentation: | set |
Needs tests: | set |
Patch needs improvement: | set |
Summary: | Implement "SameSite" flag for session cookies → Implement "SameSite" flag for session and CSRF cookies |
comment:6 by , 7 years ago
Needs documentation: | unset |
---|---|
Needs tests: | unset |
New PR (still needs some work)
Note: this requires a change to the stdlib
cookies
module: https://github.com/python/cpython/pull/214 I suspect with some hackery this can be worked around in Django though.